Is Self-Hosted Antispam Obsolete?

Software as a service (SaaS) is a hot buzzword in the IT industry at the moment. It's a broad term, covering everything from fully hosted systems, such as Salesforce.com and Microsoft Exchange Online, to systems that combine hosted services with systems you run at your location, such as Azaleos's Exchange Server monitoring and management services or Fortiva's email archiving products. SaaS has both promoters and detractors; as with most IT products and solutions, there are many different opinions about whether SaaS is a good fit for particular applications.

Having said that, I think it's time to acknowledge one area where SaaS is a clear winner: antispam filtering. In my view, there are few reasons to continue running on-premise antispam tools and strong justification for using hosted filtering solutions.

First, consider resource use. Every message stopped by the filtering service represents bandwidth not used to transmit that message to your servers. At 3Sharp, approximately 98 percent of our inbound bandwidth is consumed receiving messages that our Barracuda Spam Firewall 200 appliance promptly marks as spam and throws away. Switching to a hosted service immediately frees that bandwidth. If you're using a software solution for filtering, you should also consider the amount of server resources needed to perform the actual filtering.

The second major reason I think hosted filtering solutions have won the battle is efficiency. There are great economies of scale possible in spam filtering because of the way spammers operate: They send out millions of messages to millions of targets. A well-implemented filtering system can catch a spam message, then use signature-based filtering to block it for every other service subscriber. Self-hosted systems that use collaborative filtering technologies offer the same benefit, but in this case bigger is better. The more subscribers a service has, the more all its users benefit—until the point, of course, where the service loses its ability to provide responsive filtering and customer service!

The third argument in favor of hosted services: Cost. Many antispam software and appliance vendors use a subscription model, which effectively turns what used to be a one-time purchase into an annualized expense—just like a hosted service. Factor in the savings you'll realize with a hosted service in not having to manage, patch, or troubleshoot the solution. However, you can't remove the cost of having an administrator tweak the filtering to reduce false positives; someone will have to do that no matter which antispam solution you use.

The fourth and final argument I advance in favor of SaaS antispam solutions is that they can also do anti-malware filtering at the same time—a great benefit. Of course, this doesn't remove the need for maintaining your own internal anti-malware filtering because not every malware threat arrives via your inbound SMTP traffic.

There are also arguments in favor of self-hosted antispam solutions, of course. Notably, some organizations insist that they need to have ultimate control over filtering behavior. However, if you use a self-hosted product that includes collaborative filtering, you've already ceded that control. Then there are the self-hosted products that give you only minimal control over how filtering works, such as the Exchange Server 2007 Edge Transport role.

Other objectors dislike the idea of having a third-party service seeing all of their inbound mail. However, unless you're using S/MIME—or at least Transport Layer Security (TLS)–protected SMTP—the outside world can already see your messages. There is some theoretical risk involved in having all your mail concentrated through a central service, but you can mitigate this risk by knowing and understanding the service's policies, including whether it's SAS-70 certified.

The broad diversity of service offerings in the filtering market means that virtually every organization can find a combination of services, price, and policy that they find acceptable. Eventually, of course, consolidation in this market will result in the death of some of these service providers, but now—while competition is heated—is a great time to explore the market.

Discuss this Article 6

We took a 30-day trial from Microsoft of their Exchange Hosted Filtering, changing our MX record to point to them, and only accepting incoming mail from their servers. After 10 days, the volume of mail dropped by 95%. We signed up on the spot six months ago and haven't looked back since. Users can log in to their own web-based spam account to check if there's anything untoward, but we've had no significant issues in 6 months now. The monthly hosting cost for 500 users vs. the day-to-day monitoring and administration of our old system was a very one-sided battle.

Those are good points.
On the first, your only hope is to use quarantining, which some vendors implement better than others. Of course, that means someone has to go through the quarantine folder-- perhaps that's a task for Mike Rowe and the "Dirty Jobs" show. It won't help if the message is blocked rather than quarantined, however.
On the second, I suspect that you're right, although I question how often that happens. The law of large numbers means that for large organizations it will be pretty common, though, so having a good solution will become more important in the future.
As to Daniel's final paragraph: this is true, but when you consider the extent to which "I don't know" is counterbalanced by "Look how little it costs", it may not be a winning long-term argument :)

You make a number of good points about the advantages of hosted anti-spam, but the two weaknesses I see with it are alluded to by Daniel above. I want to expand on them.
I have not yet found a provider that can let me recover emails they blocked as spam, which are not really spam. This is a critical function that they all seem to fail on.
The second plays into the first; if a user asks me if a mail was caught in our spam filter, I have SMTP logs on my Exchange server that tell me if it was received at all, and spam filter logs that tell me what happened to it AND WHY. Was it an SPF failure, was the sending server on a public blacklist, etc, etc? No hosted service is going to give me access to their SMTP or spam filter logs.
In a world where even the US Army can't implement SPF properly, there are far too many false positives for me to cede spam filtering to someone else at this time. If a vendor comes along that will give me the kind of accountability and control I have with my self-hosted solution, I'll be on board.

I agree with Daniel and JMJ above. We had been using one of the major antispam services for a couple of years, but found that we were getting more and more issues with mail delays, false positives, etc. We recently switched to the Ironports for much the same reasons Daniel described. With the logs now available to me, I have been able to quickly resolve a number of issues that normally would have had me wade through the service's tech support.
The services are fine for smaller businesses that don't have the resources to manage their own, but they just don't seem to scale well to larger enterprises.
Another problem with using SaaS anti-spam/anti-virus is the hassle with verification technologies used by your recipients, such as reverse DNS verification and SPF.
As to the costs, we took those into account as well and basically, you get what you pay for.

Some of your assumptions in your article are based upon your experience with self-hosted anti-spam solutions to date.
There are vendors such as Ironport that block connections from known spammers right off the bat, saving much of the network bandwidth (and subsequent processing power) you are seeing wasted today with your Barracuda appliance.
Based upon my experience, about the only two advantages to outsourcing a service like this are cost (the worthwhile self-hosted appliances/solutions aren't cheap) and not having to worry about it. With cost you get what you pay for, plain and simple. With not having to worry about it, try changing your configuration with your outsourcing provider (and pray they get it right the first, second, or sixth time), or tracking down that one piece of email your CEO says his contact sent him but never got. So much for peace of mind there.
I will take a GOOD self-hosted solution any day over an outsourced solution, because at the end of the day I am the one ultimately responsible and therefore I need to have ultimate control and reporting capabilities. Management normally won't accept "Gee I don't know...we don't control anti-spam and it probably got filtered somewhere".

That's fine if your mail provider guarantees to deliver, on-time, perfectly filtered content. But of course they don't. Our mail provider was blocking real messages and some messages weren't getting through at all. So we asked them to turn their spam filtering off. We get more spam; but we also no longer miss important messages.
